Search results for tag 'cyber attacks'
  1. GAO: Electrical Grid's Distribution Systems More Vulnerable

     Audit Recommends Energy Department Implement Better Protections

     The U.S. electrical grid's distribution systems that deliver electricity directly to customers are increasingly vulnerable to cyberthreats, and the Department of Energy needs to do more to protect this critical infrastructure, according to a Government Accountability Office audit. The GAO recommends that the Energy Department incorporate the grid's distribution systems into its cybersecurity strategy, which already covers the generation and transmission systems. The Energy Department agreed with the recommendation, the audit notes.

     Although the GAO says it's not clear how threats against distribution systems might affect the grid, it points out that a "coordinated attack on distribution systems could cause outages in multiple areas even if it did not disrupt the bulk power system, according to officials from one national laboratory."

     Growing Cyber Concerns

     The electrical grid's distribution systems are increasingly connected to the internet through business networks and remote access tools, making them more susceptible to hacking and cyberthreats, the GAO found. "As a result, threat actors can use multiple techniques to access those systems and potentially disrupt operations," the watchdog report notes. "However, the scale of potential impacts from such attacks is not well understood."

     The GAO notes that these distribution systems - and the utilities that oversee them - are not subject to mandatory federal security standards. Some states and privately owned utilities, however, have started to incorporate more cybersecurity standards into the oversight of these distribution systems and are hiring more security staff, the audit report notes.

     (Image source: GAO)

     Although the Energy Department is planning to implement a national cybersecurity strategy for the entire U.S. electrical grid, the agency has so far paid too little attention to emerging threats that could target distribution systems and the supply chains that support them, the report notes. "DOE has not fully addressed such risks in its plans because it has prioritized addressing risks to the grid's generation and transmission systems," the audit states. "Without doing so, however, DOE's plans will likely be of limited use in prioritizing federal support to states and industry to improve grid distribution systems' cybersecurity."

     In previous audits, the GAO found that other parts of the U.S. electrical grid, including generation and transmission systems, are also vulnerable to cyberthreats. Industrial control systems, which help power plants and utilities function properly, are also vulnerable to attack because of their remote access features, the GAO reports (see: GAO Raises Concerns About Power Grid Vulnerabilities).

     Types of Attacks

     The GAO audit describes cyberthreats to which the grid's distribution systems could be susceptible over the coming years, especially as more networks are connected to the internet through remote access tools. These include:

       • Spear-phishing emails that contain malicious links or attachments and can serve as a way to gain initial access to a network and allow a hacker to maintain persistence.
       • Attackers taking advantage of vulnerabilities in VPNs and other remote access tools to gain initial access to networks. Government agencies, such as the U.S. Cybersecurity and Infrastructure Security Agency, have warned about flaws in VPNs and other remote access tools (see: VPN Vulnerabilities Put Industrial Control Systems at Risk).
       • Supply chain attacks in which a third-party vendor is compromised and attackers use this as a jumping-off point to target other infrastructure.
       • Attacks targeting industrial control systems that are not "air-gapped" and are connected to the internet through networks on the business side of the utility.

     "Connected industrial control systems now have given adversaries access to our distribution systems," says Setu Kulkarni, vice president for strategy at WhiteHat Security in San Jose, California. "What is worse is that with such remote access, the relative anonymity and the potential safe harbor, adversaries do not have any deterrent to launching such malicious and potentially profound attacks."

     Remote Access Concerns

     The recently thwarted attack against a water treatment facility in Florida illustrates that, indeed, hackers can use remote access tools to access industrial control systems (see: Hacker Breached Florida City's Water Treatment System).

     It's difficult for organizations supporting critical infrastructure - whether it's the electrical grid or water treatment - to take systems offline to conduct maintenance and ensure that remote access tools are properly configured, says Kevin Dunne, president of the security firm Pathlock. "Many of these systems were built decades ago and are still secured through traditional methods, such as network design and role-based access control," Dunne says. "Many aren't adapted to today's remote access environment, making them prime targets for hackers who can easily gain access to the network with compromised credentials and exploit these legacy systems."

     Source: GAO: Electrical Grid's Distribution Systems More Vulnerable
  2. 119k Threats Per Minute Detected in 2020

     The number of cyber-threats identified and blocked by Trend Micro rose by 20% in 2020 to more than 62.6 billion. Averaging out at 119,000 cyber-threats per minute, the huge figure was included in the company's annual roundup, "A Constant State of Flux: Trend Micro 2020 Annual Cybersecurity Report," released earlier today.

     Email-borne threats such as phishing attacks accounted for 91% of the 62.6 billion threats blocked by Trend Micro last year. Nearly 14 million unique phishing URLs were detected by the company in 2020, with home networks a primary target.

     Researchers found cyber-attacks on home networks surged 210% year-on-year in 2020 to just under 2.9 billion, a figure that equates to 15.5% of all homes. The vast majority (73%) of strikes against home networks involved brute-forcing logins to gain control of a smart device or router.

     The number of newly detected ransomware families increased 34% last year. Researchers noted an increase in the popularity of "double extortion" attacks, in which attackers exfiltrate data before encrypting it so they can use the threat of publication to extort money as well as charging for the data's return. Government, banking, manufacturing, and healthcare were the sectors most targeted by ransomware gangs.

     While a 17% fall in detections of business email compromise (BEC) attacks was recorded, the number of vulnerabilities published by the Zero Day Initiative (ZDI) increased 40% year-on-year. Among the flaws exploited by criminals are some dating back to 2005.

     "In 2020, businesses faced unprecedented threat volumes hitting their extended infrastructure, including the networks of home workers," said Jon Clay, director of global threat communications for Trend Micro. "Familiar tactics such as phishing, brute forcing and vulnerability exploitation are still favored as the primary means of compromise, which should help when developing defenses."

     Clay added that a year into the global health pandemic, organizations around the world should be aware of its impact on cybersecurity risk. "Global organizations have now had time to understand the operational and cyber risk impact of the pandemic," said Clay. "The new year is a chance to adjust and improve with comprehensive cloud-based security to protect distributed staff and systems."

     Source: 119k Threats Per Minute Detected in 2020
  3. The COVID-19 outbreak is turning out to be not only a health, social, and economic hazard but also a cybersecurity crisis. The pandemic has presented new challenges for businesses in the areas of remote collaboration and business continuity. With increased remote working for better business continuity, employees are using numerous Internet tools. As businesses and people have started relying more on technology and are busy fighting the pandemic, attackers now have more options than ever to target them.

     According to PWC's April report, the number of security threats to Indian companies doubled in March 2020 compared with January 2020; what's more worrying is a 100% rise between March 17 and 20. Sanjay Dhotre, the Union Minister of State for Electronics & Information Technology (MeITY), said that India has seen over 350,000 cyberattacks in the second quarter, triple the number of recorded events in the first quarter of 2020. He also highlighted that there were 700,000 cybersecurity incidents until August 2020.

     Key Cybersecurity Crises in Numbers

     According to the ACRONIS Cyber Readiness Report 2020, 31% of companies worldwide face at least one cybersecurity incident per day. However, India reported twice as many cyberattacks per day, where most of the cyberattacks comprise phishing, DDoS, video conferencing attacks, exploitation of weak services, and malware.

     (Image source: Acronis)

     Phishing campaigns are the most worrying attack type, as they peaked during this pandemic. Though malware hit lower numbers, it remains a more critical issue in India, which reports almost twice as many malware issues as the global average.

     (Image source: Acronis)

     Further, 39% of all organizations surveyed experienced a video conferencing attack. Among them, India, Canada, Switzerland, and the UK are the most affected countries. Coronavirus-themed phishing emails and malicious websites claiming to offer useful information on COVID-19 have emerged as the top threats to companies. Also, 400,000 new ransomware attacks were identified from April to June 2020, according to the Seqrite report. Most of these cyber-attacks succeeded by obtaining access to a remote system through exploitation of vulnerable services.

     Why is India So Vulnerable to Cyberattacks?

     Increased use of the Internet and Mobile technology — The NITI Aayog report states that India ranks third in the list of countries with the highest number of internet users worldwide, after the USA and China. With the exponential rise in Internet and mobile phone users, there is a significant rise in the number of cyberattack incidents in India and globally.

     Ignoring Internal Security Threats — Enterprises are more focused on guaranteeing business continuity with seamless operations than on bridging the gaps in their remote infrastructure. If sensitive data flows between various departments without a proper monitoring and logging process, it becomes tricky to identify the loopholes when an attack happens.

     Confronting External Threats — With ever-increasing external threats, an organization can't be 100% prepared. Only a few Indian companies maintain security measures such as Web Application Firewalls to monitor external threats and stop cyberattack incidents as and when they happen.

     Detectable Weak Points During Remote Work — The main weak points exposed during the sudden shift to remote work include weak authentication techniques, insufficient monitoring, and exposed servers (DNS, VPN, RDP, etc.). Moreover, many employees ignore personal online security hygiene. With this 'work from anywhere' culture, employees begin to access their personal emails as well as social media sites on their official machines. Overall, with the merging of personal and work life online, cyber-attacks can easily occur through unsecured personal accounts.

     Missing Expertise in Cloud Technology — To make data easy to access from any device and anywhere, many companies have adopted cloud technology. However, they don't have adequate in-house resources to manage and protect APIs, SaaS, or containers. The increasing number of poorly configured cloud architectures will inevitably open doors for attackers.

     The Pandemic Landscape Demands Modern Protection

     Here are the golden tips to keep you away from these recent cybersecurity incidents:

       • Train your employees in security principles.
       • Be cautious with attachments, links, or text received via email, especially with a subject line related to COVID-19.
       • Frame a robust remote work policy.
       • Use only trusted sources like legitimate websites for up-to-date information.
       • Don't disclose your financial or personal information in emails or phone calls from unknown persons.
       • Encourage the use of office devices only for official purposes.
       • Don't reuse passwords between different accounts and applications.
       • Take data backups and store them separately.
       • Use multi-factor authentication.
       • Modernize your stack with a cloud-based WAF, such as AppTrana, a next-generation cybersecurity protection suite that includes vulnerability assessments, virtual patching, zero false positives, DDoS attack prevention, and many more features.

     The Closure

     In the cybersecurity space, attackers lead the learning curve, with security professionals following their lead to boost preventive measures. However, with advanced technologies, this scenario is beginning to change. Next-gen threat monitoring tools and predictive analytics go beyond rule-based systems to detect cyber risks, thereby flagging potential threats more securely and faster. With adequate nationwide cybersecurity awareness and robust policies in place, companies should be capable of battling cyber threats effectively in the future.

     Source
  4. Former FBI director Louis Freeh says launching cyber attacks back at China is the only way to stop it hacking commercial secrets

     Targeted cyber attacks and a strong deterrence capability are the most effective way of preventing China and other countries continuing to steal Australian commercial secrets, according to a former director of the Federal Bureau of Investigation.

     Louis Freeh, who ran the FBI for almost eight years until 2001, said the threat of criminal charges or jail time would do little to prevent state-sponsored hackers from continuing to steal valuable intellectual property. "It's like trying to serve a subpoena on [Osama] Bin Laden – it's not very effective," Mr Freeh said on the sidelines of a speech in Sydney on Monday night.

     His comments come as the federal government considers how best to respond to a surge in cyber attacks directed by China's peak security agency over the past year. An investigation by The Australian Financial Review and Nine News confirmed China's Ministry of State Security (MSS) was responsible for the recent wave of attacks on Australian companies. These formed part of what is known in cyber circles as "Operation Cloud Hopper", which was detected by Australia and its partners in the Five Eyes intelligence sharing alliance.

     The attacks on Australian companies are in breach of an agreement struck between Premier Li Keqiang and former prime minister Malcolm Turnbull in April 2017 to not steal each other's commercial secrets. Filing criminal charges against Chinese hackers, as the US has done over the past year, is one option open to Australia, although Mr Freeh believes a formidable cyber deterrence capability is the best defence.

     Mr Freeh likened offensive cyber capabilities to the doctrine of mutually assured destruction during the Cold War, which he said ultimately prevented nuclear weapons being used. "All the major powers, including Australia, they know the [cyber] capacity of their adversaries," he said. "They can assess pretty accurately the capacity of their adversaries and allies and that is the single most reason why we have not seen a cyber war ... it's the same reason nobody has fired a nuclear weapon in 75 years."

     Mr Freeh said countries had the capability to shut down power grids, transport networks and financial systems, but had not done so as it would potentially trigger a far larger retaliatory attack. He said offensive cyber capabilities had been used after attacks in the past, but the response was proportionate. "We've seen enough attacks that have given countries the basis to retaliate and they have in many cases, but the retaliation, if you look at it from 30,000 feet, is very proportionate and very measured given the initial attack."

     Malcolm Turnbull acknowledged Canberra's offensive cyber capabilities in April 2016, but few other countries have followed this lead. Since that announcement the government has said the capability has been used against Islamic State in the Middle East, while also revealing it has established an information warfare division within the Australian Defence Force.

     "Governments routinely engage in a wide spectrum of cyber operations, and researchers have identified more than 100 states with military and intelligence cyber units," Fergus Hanson and Tom Uren said in a report for the Australian Strategic Policy Institute.

     Source
  5. Small to mid-sized businesses can keep safe from most cyber attacks by protecting the ports that threat actors target the most. Three of them stand out in a crowd of more than 130,000 targeted in cyber incidents. A report from threat intelligence and defense company Alert Logic enumerates the top weaknesses observed in attacks against over 4,000 of its customers.

     Top TCP ports attacked

     According to the report, the ports most frequently used to carry out an attack are 22, 80, and 443, which correspond to SSH (Secure Shell), HTTP (Hypertext Transfer Protocol), and HTTPS (Hypertext Transfer Protocol Secure). Alert Logic says that these appear in 65% of the incidents, which makes sense since they need to be open for communication, be it secured or plain text.

     Coming in fourth place is the port for Microsoft's Remote Desktop Protocol (RDP), responsible for remote communication between machines. RDP attracted attention this year through multiple patches for vulnerabilities leading to remote code execution (CVE-2019-1181, CVE-2019-1182, and CVE-2019-0708).

     "As basic guidance, security across all network ports should include defense-in-depth. Ports that are not in use should be closed and organizations should install a firewall on every host as well as monitor and filter port traffic. Regular port scans and penetration testing are also best practices to help ensure there are no unchecked vulnerabilities" - Alert Logic

     A port tagged as a serious risk is for the File Transfer Protocol (FTP - 20, 21). Active servers were found on printers, cameras, and uninterruptible power supplies, which are estimated to make up as much as a third of all the FTP servers discovered. The company's recommendation for reducing the potential risk from these ports is to keep up to date and harden the devices, software, or services that rely on them, in order to close attack avenues.

     Running ancient software

     Additional vulnerabilities undermining the security of an organization are weak encryption and outdated software, which accounted for 66% and 75%, respectively, of the issues Alert Logic noticed with its customers.

     The problems keep piling up, as the company found that over 66% of the scanned hosts run Windows 7, an operating system (OS) that will no longer benefit from support past January 14, 2020. At the opposite end, Windows Server 2019 is barely seen on SMB infrastructure.

     For some reason, Windows XP, which had its final release in 2008 and reached end of support in 2014, continues to be present in a "non-trivial number." Alert Logic says that it even found Windows NT systems (released in 1993) on its customers' networks. The risk of running them is that they make an attacker's lateral movement dead easy.

     Almost half of all scanned Linux systems ran with an outdated kernel; more specifically, they had version 2.6, which has been out of support for the past three years and has upward of 65 known vulnerabilities. This issue, though, is less visible, because deployed application systems hide the underlying OS distribution.

     Another example of outdated software is the Exchange 2000 email server, accounting for close to a third of all email servers detected. The issue is that the product stopped receiving support in July 2010. The most popular email server among the SMBs monitored by Alert Logic is Postfix, while Exim - the most widespread email server overall - falls in last place.

     Alert Logic says that the data was compiled from 5,000 attacks seen on a daily basis against its customer base over a period of six months, from November 2018 until April 2019.

     Source
  6. The U.S. Federal Bureau of Investigation (FBI) Cyber Division warned private industry partners of incoming cyberattacks against the US automotive industry targeting sensitive corporate and enterprise data. The Private Industry Notification (PIN) detailing this alert was seen by BleepingComputer after it was issued to partners by the FBI on November 19, 2019.

     "The FBI has observed incidents since late 2018 in which unidentified cyber actors have increasingly targeted the automotive industry with cyberattacks to obtain sensitive customer data, network account passwords, and internal enterprise network details," the agency says in the PIN. "The FBI assesses the automotive industry likely will face a wide-range of cyber threats and malicious activity in the near future as the vast amount of data collected by Internet-connected vehicles and autonomous vehicles become a highly valued target for nation-state and financially-motivated actors."

     Financially motivated and state-backed actors taking on more targets

     The automotive industry is facing an increased barrage of incoming malicious attacks and threats, according to the FBI, as the wide range and large quantity of information it collects becomes progressively more valuable for threat actors. Extensive amounts and varied types of information are collected daily from autonomous and Internet-connected vehicles, and the servers they are stored on allow potential attackers to get their hands on this huge trove of data via phishing and brute-force attacks.

     However, besides bad actors getting away scot-free with sensitive data, the automotive industry is also facing other types of threats, including but not limited to data destruction following ransomware attacks and persistent unauthorized access to enterprise networks. The agency says that phishing and brute-force attacks against automotive industry entities in the U.S. have already successfully compromised several organizations and companies during 2019, as CNN also reported.

     Previous attacks and recommendations

     To exemplify the dangers lurking in the shadows and eyeing unprepared automotive orgs, the FBI also listed a handful of previous attacks that it was able to detect and observe during 2019:

       • In 2019, unknown cyber actors conducted a brute force attack against a company's web-facing employee login application. Cyber actors compromised logins of several accounts to access sensitive data.
       • In 2019, unidentified cyber actors exploited unpatched operating software vulnerabilities of an organization comprised of multiple office locations and extracted login passwords. The exfiltrated passwords were later used to log into employee accounts on the company's network to access sensitive data.
       • In 2019, several automotive company recipients received phishing emails with malicious attachments. Some recipients opened the attachment which enabled macros to run and allowed the cyber actor to gain access and move laterally through the enterprise and exfiltrate sensitive data.
       • In 2019, unidentified cyber actors gained unauthorized access to employee emails of multiple companies in the automotive industry. Cyber actors created mailbox rules to auto-forward sensitive company communications to non-company email addresses. Cyber actors also gained unauthorized access to email accounts with administrator privileges and conducted fraudulent wire-transfers resulting in financial loss.
       • Over the course of late 2018 to 2019, several companies in the automotive industry fell victim to both an unidentified ransomware variant and the Ryuk ransomware. The ransomware attacks encrypted data and network servers which impacted the companies' daily operations. One company paid the ransom, but the attackers did not provide the decryption key; however, the company was partially successful in restoring most of its operations with backed-up data.

     The FBI also provides some recommendations to automotive companies that want to successfully defend their assets against future cyber attacks. Organizations are advised to always keep operating systems up to date, applying the latest security patches immediately after they're issued, and to use strong passwords, lockout policies, and multi-factor authentication (MFA) to defend against brute-force attacks and protect sensitive info and devices.

     They are also recommended to back up their data as regularly as possible to prevent data loss following destructive malicious attacks, to protect databases with passwords, and to run an up-to-date anti-malware solution. Employees should also be trained to spot malicious links and attachments delivered via malspam campaigns and alerted when any phishing attacks targeting the org are detected. Additionally, any unusual employee activity, such as logins coming from unfamiliar IP addresses never used before, should be monitored to decrease the response time when dealing with an ongoing attack.

     Past ransomware, e-skimming, and phishing warnings

     The FBI also issued a number of warnings in the past to address incoming or ongoing cyber threats targeting the U.S. public, as well as small and medium-sized businesses (SMBs) and government agencies. For instance, in late October, the agency released an advisory on how to build a digital defense against e-skimming, as well as to increase awareness of current e-skimming threats targeting both SMBs and gov't agencies that process online payments.

     Earlier in October, the FBI's Internet Crime Complaint Center (IC3) published a public service announcement (PSA) on the increasing number of high-impact ransomware attacks targeting both public and private U.S. organizations. Young people from all over the U.S. were also alerted on Twitter in July about sextortion campaigns, while another PSA regarding TLS-secured websites being actively used in malicious phishing campaigns was published in June.

     Source
  7. Cyber-criminals used networks of infected smart devices to conduct DDoS attacks or as a proxy for other types of malicious actions.

     Kaspersky honeypots – networks of virtual copies of various internet-connected devices and applications – have detected 105 million attacks on IoT devices coming from 276,000 unique IP addresses in the first six months of the year. This figure is around nine times more than the number found in H1 2018, when only around 12 million attacks were spotted originating from 69,000 IP addresses. Capitalizing on the weak security of IoT products, cybercriminals are intensifying their attempts to create and monetize IoT botnets.

     Cyberattacks on IoT devices are booming, as even though more and more people and organizations are purchasing 'smart' (network-connected and interactive) devices, such as routers or DVR security cameras, not everybody considers them worth protecting. Cybercriminals, however, are seeing more and more financial opportunities in exploiting such gadgets. They use networks of infected smart devices to conduct DDoS attacks or as a proxy for other types of malicious actions. To learn more about how such attacks work and how to prevent them, Kaspersky experts set up honeypots - decoy devices used to attract the attention of cybercriminals and analyze their activities.

     Based on analysis of the data collected from the honeypots, attacks on IoT devices are usually not sophisticated, but stealthy, as users might not even notice their devices are being exploited. The malware family behind 39% of attacks - Mirai - is capable of using exploits, meaning that these botnets can slip through old, unpatched vulnerabilities to the device and control it. Another technique is password brute-forcing, which is the chosen method of the second most widespread malware family in the list – Nyadrop. Nyadrop was seen in 38.57% of attacks and often serves as a Mirai downloader. This family has been trending as one of the most active threats for a couple of years now. The third most common botnet threatening smart devices - Gafgyt with 2.12% - also uses brute-forcing.

     In addition, the researchers were able to locate the regions that became sources of infection most often in H1 2019. These are China, with 30% of all attacks originating in this country, followed by Brazil with 19% and Egypt (12%). A year ago, in H1 2018, the situation was different, with Brazil leading with 28%, China second with 14% and Japan following with 11%.

     "As people become more and more surrounded by smart devices, we are witnessing how IoT attacks are intensifying. Judging by the enlarged number of attacks and criminals' persistency, we can say that IoT is a fruitful area for attackers that use even the most primitive methods, like guessing password and login combinations. This is much easier than most people think: the most common combinations by far are usually "support/support", followed by "admin/admin", "default/default". It's quite easy to change the default password, so we urge everyone to take this simple step towards securing your smart devices" – said Dan Demeter, security researcher at Kaspersky Lab.

     To keep your devices safe, follow these tips:

       1. Install updates for the firmware you use as soon as possible. Once a vulnerability is found, it can be fixed through patches within updates.
       2. Always change pre-installed passwords. Use complicated passwords that include both capital and lower case letters, numbers and symbols if possible.
       3. Reboot a device as soon as you think it's acting strangely. It might help get rid of existing malware, but this doesn't reduce the risk of getting another infection.
       4. Keep access to IoT devices restricted by a local VPN, allowing you to access them from your "home" network instead of publicly exposing them on the internet.
       5. Use threat data feeds to block network connections originating from malicious network addresses detected by security researchers.
       6. Make sure all device software is up to date. Unpatched devices should be kept in a separate network inaccessible to unauthorized users.

     Source
8. By replacing a PC's SPI flash chip with one that contains rogue code, an attacker can gain full, persistent access.

Researchers have found a new way to defeat the boot verification process for some Intel-based systems, but the technique can also impact other platforms and can be used to compromise machines in a stealthy and persistent way.

Researchers Peter Bosch and Trammell Hudson presented a time-of-check, time-of-use (TOCTOU) attack against the Boot Guard feature of Intel's reference Unified Extensible Firmware Interface (UEFI) implementation at the Hack in the Box conference in Amsterdam this week.

Boot Guard is a technology that was added in the Intel Core 4th generation microarchitecture -- also known as Haswell -- and is meant to provide assurance that the low-level firmware (UEFI) has not been maliciously modified. It does this by checking, every time the computer starts, that the loaded firmware modules are digitally signed with trusted keys belonging to Intel or the PC manufacturer.

Bosch, an independent researcher and computer science student at Leiden University in the Netherlands, discovered an anomaly in the Boot Guard verification process while he was trying to find a way to use the open-source Coreboot firmware on his own laptop. In particular, he noticed that after the system verified the firmware and created a validated copy in cache, it later re-read modules from the original copy located in the Serial Peripheral Interface (SPI) memory chip -- the chip that stores the UEFI code. This isn't correct behavior, because the system should rely only on the verified copy once the cryptographic checks have passed. This made Bosch think there might be an opportunity for an attacker to modify the firmware code after it has been verified and before it is incorrectly re-read from SPI memory.

He took his findings and an early proof-of-concept implementation to Trammell Hudson, a well-known hardware and firmware researcher whose previous work includes the Thunderstrike attacks against Apple's Thunderbolt technology. Hudson confirmed Bosch's findings and together they worked on an attack that involves attaching a programming device to the flash memory chip so that it responds with malicious code when the CPU attempts to re-read firmware modules from SPI memory instead of from the validated copy. The result is that malicious, unsigned code executes successfully, something Boot Guard was designed to prevent.

While the attack requires opening the laptop case to attach clip-on connectors to the chip, there are ways to make it permanent, such as replacing the SPI chip with a rogue one that emulates the UEFI flash chip and also serves malicious code. In fact, Hudson has already designed such an emulator chip that has the same dimensions as a real SPI flash chip and could easily pass as one upon visual inspection if some plastic coating is added to it.

What are the implications of such TOCTOU attacks?

Intel Boot Guard and Secure Boot were created to prevent attackers from injecting malware into the UEFI or into other components loaded during the boot process, such as the OS bootloader or the kernel. Such malware has existed for a long time; these programs are called boot rootkits, or bootkits, and attackers have used them because they are very persistent and hard to remove. That's because they re-infect the operating system after every reboot, before any antivirus program has a chance to start and detect them.

In its chip-swapping variant, Hudson's and Bosch's attack acts like a persistent hardware-based bootkit. It can be used to steal disk encryption passwords and other sensitive information from the system, and it's very hard to detect without opening the device and closely inspecting its motherboard.

Even though such physical attacks require a targeted approach and will never be a widespread threat, they can pose a serious risk to businesses and users who have access to valuable information. Such a physical compromise could occur in different ways, for example in an Evil-Maid-type scenario where a high-value target, like a company's CEO, travels to a foreign country and leaves their laptop unattended in their hotel room. Bosch tells CSO that replacing the SPI memory chip with a rogue one designed to execute this attack would take 15 to 20 minutes for an experienced attacker with the right equipment.

Another possibility is supply chain attacks, or the so-called "interdiction" techniques where computer shipments are intercepted in transit, for example by an intelligence agency, backdoored and then resealed to hide any tampering. The documents leaked by Edward Snowden showed that the NSA uses such techniques, and it is likely not the only intelligence agency to do so. Some devices do have tamper-evident seals or mechanisms, but someone with the right resources and knowledge can easily bypass those defenses, Bosch tells CSO.

Malicious employees could also use this technique on their work-issued laptops, either to bypass access controls and gain administrator privileges or to maintain access to the company's data and network after they leave the company. Such a compromise would survive the computer being wiped and put back into use. There have been several cases over the years of economic espionage where employees working for various companies were caught stealing trade secrets and passing them to foreign governments or to competitors.

What is the mitigation?

The two researchers notified Intel of their findings in January and tell CSO that the chipmaker treated the issue seriously and assigned it a high severity. The company already has patches available for its reference UEFI implementation -- known as Tianocore -- that it shares with BIOS vendors and PC manufacturers. The researchers haven't yet tested the fixes, but at least based on the description they seem comprehensive and should prevent similar attacks in the future.

The problem is that distributing UEFI patches has never been an easy process. Intel shares its UEFI kit with UEFI/BIOS vendors who have contracts with various PC manufacturers. Those OEMs then make their own firmware customizations before shipping it inside their products. This means that any subsequent fixes require collaboration and coordination from all involved parties, not to mention end users who need to care enough to actually install those UEFI updates. The patches for the critical Meltdown and Spectre vulnerabilities that affected Intel CPUs also required UEFI updates, and it took months for some PC vendors to release them for their affected products. Many models never received the patches in the form of UEFI updates because their manufacturers no longer supported them.

The two researchers plan to release their proof-of-concept code in the coming months as part of a tool called SPISpy that they hope will help other researchers and interested parties check whether their own machines are vulnerable and investigate similar issues on other platforms.

"I would really like to see the industry move towards opening the source to their firmware, to make it easier to verify its correctness and security," says Bosch.

Source
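The verify-then-reread flow described in post 8 above, as an added illustration that is not part of the original article and is not Intel's, Coreboot's or the researchers' code. The "flash" is a byte array whose contents an attacker can swap between reads (standing in for the clip-on programmer or emulator chip answering SPI reads), the two 16-byte "modules" are constructed, and a 32-bit FNV-1a checksum stands in for the signature check; all of these are assumptions of the example. The vulnerable loader verifies one read and then executes a second read; the fixed loader verifies the cached copy and executes only that copy, so the flash is never consulted again after the check.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Added illustration of the verify-then-reread (TOCTOU) pattern the article
 * describes. Not Intel's, Coreboot's or the researchers' code: the simulated
 * flash, the module contents and the FNV-1a checksum standing in for the
 * signature check are all constructed for this example. */

#define MODULE_LEN 16

/* Constructed 16-byte "firmware modules": the genuine one the OEM signed and
 * the rogue one the attacker wants the CPU to execute. */
static const uint8_t GENUINE_MODULE[MODULE_LEN] = "GENUINE-UEFI-MOD";
static const uint8_t ROGUE_MODULE[MODULE_LEN]   = "ROGUE-BOOTKIT-00";

/* FNV-1a 32-bit: a toy stand-in for the signature check Boot Guard performs. */
static uint32_t checksum(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/* Simulated SPI flash. 'swap_after' models the programmer or emulator chip:
 * from that many reads onward it answers with the rogue module instead of the
 * genuine one. A negative value means the flash is never tampered with. */
typedef struct {
    int reads;
    int swap_after;
} spi_flash_t;

static void spi_read(spi_flash_t *f, uint8_t out[MODULE_LEN])
{
    bool tampered = f->swap_after >= 0 && f->reads >= f->swap_after;
    memcpy(out, tampered ? ROGUE_MODULE : GENUINE_MODULE, MODULE_LEN);
    f->reads++;
}

/* Vulnerable flow (the anomaly Bosch observed): the module is read and
 * verified, then read AGAIN from flash for execution. Anything that changes
 * the flash contents between the two reads executes unverified. */
static bool vulnerable_boot(spi_flash_t *f, uint32_t expected, uint8_t exec[MODULE_LEN])
{
    uint8_t buf[MODULE_LEN];
    spi_read(f, buf);
    if (checksum(buf, MODULE_LEN) != expected)
        return false;                   /* verification fails: refuse to boot */
    spi_read(f, exec);                  /* TOCTOU: second read is trusted blindly */
    return true;
}

/* Fixed flow: read once into the cached copy, verify that copy, execute that
 * copy. The flash is never consulted again after the check. */
static bool fixed_boot(spi_flash_t *f, uint32_t expected, uint8_t exec[MODULE_LEN])
{
    uint8_t cache[MODULE_LEN];
    spi_read(f, cache);
    if (checksum(cache, MODULE_LEN) != expected)
        return false;
    memcpy(exec, cache, MODULE_LEN);
    return true;
}

/* Run one boot. Returns -1 if boot was refused, 1 if the rogue module ended
 * up executing, 0 if the genuine module executed. */
int boot_outcome(bool use_fixed_flow, int swap_after)
{
    spi_flash_t flash = { .reads = 0, .swap_after = swap_after };
    uint32_t expected = checksum(GENUINE_MODULE, MODULE_LEN); /* trusted reference */
    uint8_t exec[MODULE_LEN];
    bool ok = use_fixed_flow ? fixed_boot(&flash, expected, exec)
                             : vulnerable_boot(&flash, expected, exec);
    if (!ok)
        return -1;
    return memcmp(exec, ROGUE_MODULE, MODULE_LEN) == 0 ? 1 : 0;
}

int main(void)
{
    printf("vulnerable, flash tampered before verify : %d\n", boot_outcome(false, 0));
    printf("vulnerable, flash swapped after verify   : %d\n", boot_outcome(false, 1));
    printf("fixed,      flash swapped after verify   : %d\n", boot_outcome(true, 1));
    printf("fixed,      flash tampered before verify : %d\n", boot_outcome(true, 0));
    return 0;
}
```

The point of the four runs: a rogue module present before verification is caught by both loaders, which is the case Boot Guard was designed for; a rogue module swapped in after verification is executed only by the loader that goes back to flash. The cache-only rule in fixed_boot is the whole mitigation, and it is also what a reader can look for when auditing any measured-boot code path: every read of the medium after the check is a candidate TOCTOU.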
9. Kaspersky Lab has discovered a series of targeted attacks on large public health institutions in Russia. The number of hacker attacks on Russian medical institutions has doubled this year.

According to Kaspersky Lab, ten major Russian state medical institutions were attacked in spring 2019. The identity of the hackers is still unknown, but Kaspersky Lab believes that the attackers speak Russian fluently but are located outside the country. The attackers' main purpose is to collect financial documents, contracts for expensive treatment, invoices and other important documentation.

The computers were infected with spyware called CloudMid. Kaspersky Lab notes that this is "unique malware" that the company has not encountered before. CloudMid is sent by e-mail, disguised as the VPN client of one of the Russian companies. Once installed, CloudMid proceeds to collect documents from the infected computer, in particular by taking screenshots several times a minute. The mailing is known not to have been a mass campaign; only some organizations received the messages.

Kaspersky Lab anti-virus expert Dmitry Kuznetsov says: "Cyber attackers have begun to take an interest in the health sector. In this case, the attacks were not technically sophisticated, but they were targeted, and the attackers still managed to get what they wanted." Another Kaspersky Lab expert, Alexey Shulmin, added that such attacks would be repeated.

Evgeny Gnedin, head of the Analytics Department at Positive Technologies, said that hacker attacks on medical institutions are becoming a dangerous trend. The expert believes that the low level of security is primarily due to insufficient funding for information security in medical organizations, so attacks on medical institutions will remain relevant in the second half of 2019.

According to Andrey Arsentiev, an analyst at the InfoWatch group of companies, cybercriminals have formed groups specializing in attacks on medical institutions, aimed primarily at extensive networks of clinics with large volumes of structured personal data on patients. "Protected medical information is among the most liquid information on the black market; the cost of one record can in some cases be hundreds or even thousands of dollars. In other cases, hackers may be interested in research conducted in large medical centers," said the expert.

Source
10. BASF, Siemens, Henkel, Roche target of cyber attacks

FILE PHOTO: The chemical company BASF building in Levallois-Perret, near Paris, France, is seen at sunset, November 29, 2018. REUTERS/Christian Hartmann/File Photo

FRANKFURT (Reuters) - German blue-chip companies BASF, Siemens, Henkel (HNKG_p.DE) along with a host of others said on Wednesday they had been victims of cyber attacks, confirming a German media report which said the likely culprit was a state-backed Chinese group.

Public broadcaster ARD said the hackers used a type of malware called Winnti, which allows attackers to remotely access a victim’s computer network. ARD said an analysis of the malware code showed which companies were targeted by a group likely working for the Chinese government.

Alongside the German firms named, companies including drug maker Roche, hotels group Marriott, airline Lion Air, conglomerate Sumitomo, and chemicals group Shin-Etsu were also targeted by the hackers, ARD reported.

Industrial conglomerate Siemens, shampoo maker Henkel and Swiss pharma group Roche confirmed that they were affected by “Winnti”, while BASF and Covestro also confirmed that they had been attacked. All said that no sensitive information was lost, while none of the companies commented on whether the attacks had been launched by Chinese hackers. Shin-Etsu, Sumitomo, Lion Air, Marriott and Valve declined to comment or were not immediately available for comment.

Earlier this year drugmaker Bayer said it contained a cyber attack it believed was hatched in China, highlighting the risk of data theft and disruption faced by big business. There was also a Winnti attack on computer systems at German technology group ThyssenKrupp in 2016, according to media reports at the time.

Source: BASF, Siemens, Henkel, Roche target of cyber attacks
11. With the rapid growth of the Internet and online shopping, it is no surprise that cyber crime has risen alongside them, and the Philippines has been identified as among the countries most vulnerable to these cyber-attacks. Some of the most common cybercrimes are identity theft, web server compromise, disruption of online services and malware attacks.

Just last week, the Department of Information and Communication Technology (DICT) said that on a scale of A to E, with “A” being the highest in terms of cyber-security maturity, the Philippines would rank “D” with the tools and technology available. In comparison, countries ranked “A” are those “resilient in times of cyber-attacks.”

Last year, a study conducted by Microsoft in Asia-Pacific showed that the Philippines was the 8th highest country in terms of encountering malware, which can attack operating systems and disable devices. The top 5 most exposed countries were Bangladesh, Cambodia, Indonesia, Myanmar and Vietnam; these countries are the most exposed to malicious programs according to the Microsoft study.

In the third quarter of 2015, the Philippines ranked 33rd out of 233 countries prone to cyber-security threats, 10 spots worse than the previous quarter. Kaspersky noted in a report that the Philippines experienced a rapid rise in malicious programs in July, August and September 2015. The report added that around 175 Filipino Internet users were attacked by malicious software. A Kaspersky Lab Southeast Asia official pointed out: “From 43rd place to 33rd place in just three months shows that cyber-attacks against the Philippines are accelerating at full speed. The Philippines may not be one of the top targets yet, but there is no doubt that cybercriminals are now noticing the country.”

Hopefully the DICT’s launch of a national cyber-security platform this year will help protect the country's cyber-security initiatives for the future.

Source